[ https://issues.apache.org/jira/browse/HDDS-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

István Fajth updated HDDS-7393:
-------------------------------
        Parent: HDDS-7333
    Issue Type: Sub-task  (was: Improvement)

> Root CA certificate revocation
> ------------------------------
>
>                 Key: HDDS-7393
>                 URL: https://issues.apache.org/jira/browse/HDDS-7393
>             Project: Apache Ozone
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: István Fajth
>            Assignee: István Fajth
>            Priority: Major
>              Labels: pki
>
> Revoking the root CA certificate effectively means the system has to 
> re-create all certificates used internally, and with that it is a tedious 
> process.
> A prerequisite for this task is to have all the certificate rotation logic 
> implemented, but in case of revocation we need to do the process in an 
> expedited way within just a few hours tops without causing impacts to the 
> service.
> The procedure should involve a few things:
> - at start a new root CA certificate has to be created, and similarly as when 
> the root CA certificate is being rotated, new subordinate CA certificates 
> have to be created and rotated in
> - as the next step all certificates in the system have to be revoked, and 
> renewed during the default grace period within which the certificates are 
> renewed after revocation
> - once all the certificates are renewed, the old subordinate CA certificates 
> and the rootCA certificate have to be revoked as well
> - once the services notice the revocation of the old rootCA certificate, the 
> old rootCA certificate has to be removed from the trust stores of active and 
> to-be-created connections


